Abstract: Public-key quantum money is a cryptographic protocol in which a bank can create quantum
states which anyone can verify but no one except possibly the bank can clone or forge. There are 
no secure public-key quantum money schemes in the literature; as we show in this paper, the only 
previously published scheme [ ] is insecure. We introduce a category of quantum money protocols 
which we call collision-free. For these protocols, even the bank cannot prepare multiple identical- 
looking pieces of quantum money. We present a blueprint for how such a protocol might work as well 
as a concrete example which we believe may be insecure. 
1 Introduction

In 1969, Wiesner [ ] pointed out that the no-cloning theorem raises the possibility of uncopyable cash: bills whose authenticity would be guaranteed by quantum physics.¹ Here's how Wiesner's scheme works: besides an ordinary serial number, each bill would contain (say) a few hundred photons, which the central bank polarized in random directions when it issued the note. The bank remembers the polarization of every photon on every bill ever issued. If you want to verify that a bill is genuine, you take it to the bank, and the bank uses its knowledge of the polarizations to measure the photons. On the other hand, the No-Cloning Theorem ensures that someone who doesn't know the polarization of a photon can't produce more photons with the same polarizations. Indeed, copying a bill can succeed with probability at most $(5/6)^n$, where $n$ is the number of photons per bill.

¹ This is the same paper that introduced the idea of quantum cryptography. Wiesner's paper was not published until the 1980s; the field of quantum computing and information (to which it naturally belonged) had not yet been invented.

Despite its elegance, Wiesner's quantum money 
is a long way from replacing classical money. The 
main practical problem is that we don't know how 
to reliably store polarized photons (or any other co- 
herent quantum state) for any appreciable length of 
time. 

Yet, even if we could solve the technological 
problems, Wiesner's scheme would still have a se- 
rious drawback: only the bank can verify that a bill 
is genuine. Ideally, printing bills ought to be the 
exclusive prerogative of the bank, but the check- 
ing process ought to be open to anyone — think of 
a convenience-store clerk holding up a $20 bill to 
a light. 

But, with quantum mechanics, it may be pos- 
sible to have quantum money satisfying all three 
requirements: 

1. The bank can print it. That is, there is an 
efficient algorithm to produce the quantum 
money state. 

2. Anyone can verify it. That is, there is an efficient measurement that anyone can perform that accepts money produced by the bank with high probability and minimal damage.

3. No one (except possibly the bank) can copy 
it. That is, no one other than the bank can effi- 
ciently produce states that are accepted by the 
verifier with better than exponentially small 
probability. 

We call such a scheme a public-key quantum money scheme, by analogy with public-key cryptography. Such a scheme cannot be secure against an adversary with unbounded computational power, since a brute-force search will find valid money states in exponential time. Surprisingly, the question of whether public-key quantum money schemes are possible under computational assumptions has remained open for forty years, from Wiesner's time until today.

The first proposal for a public-key quantum money scheme, along with a proof that such money exists in an oracle model, appeared in [1]. We show in section 3 that the proposed quantum money scheme is insecure.

In this paper we introduce the idea of collision- 
free quantum money, which is public-key quan- 
tum money with the added restriction that no one, 
not even the bank, can efficiently produce two 
identical-looking pieces of quantum money. We 
discuss the prospect of implementing collision- 
free quantum money and its uses in section 2 be- 
low. 

The question of whether secure public-key 
quantum money exists remains open. 

2 Two kinds of quantum money 

All public-key quantum money schemes need 
some mechanism to identify the bank and prevent 
other parties from producing money the same way 
that the bank does. A straightforward way of ac- 
complishing this is to have the money consist of a 
quantum state and a classical description, digitally 
signed by the bank, of a circuit to verify the quan- 
tum state. Digital signatures secure against quan- 
tum adversaries are believed to exist, so we do not 
discuss the signature algorithm in the remainder of 
the paper. 

Alternatively, if the bank produces a fixed number of quantum money states, it could publish a list of all the verification circuits of all the valid money states, and anyone could check that the verifier of their money state is in that list. This alternative is discussed further in section 2.2.

2.1 Quantum money with a classical secret 

Public-key quantum money is a state which can 
be produced by a bank and verified by anyone. 
One way to design quantum money is to have the 
bank choose, for each instance of the money, a 
classical secret which is a description of a quan- 
tum state that can be efficiently generated and use 
that secret to manufacture the state. The bank then 
constructs an algorithm to verify that state and dis- 
tributes the state and a description of the algorithm 
as "quantum money." We will refer to protocols of 
this type as quantum money with a classical secret. 
The security of such a scheme relies on the dif- 
ficulty of deducing the classical secret given both 
the verification circuit and a copy of the state. 

A simple but insecure scheme for this type of quantum money is based on random product states. The bank chooses a string of $n$ uniformly random angles $\theta_i$ between $0$ and $2\pi$. This string is the classical secret. Using these angles, the bank generates the state $|\psi\rangle = \bigotimes_i |\theta_i\rangle$, where $|\theta_i\rangle = \cos\theta_i|0\rangle + \sin\theta_i|1\rangle$, and chooses a set of (say) 4-local projectors which are all orthogonal to $|\psi\rangle$. The quantum money is the state $|\psi\rangle$ and a classical description of the projectors, and anyone can verify the money by measuring the projectors.

It is NP-hard to produce the state $|\psi\rangle$ given only a description of the projectors, and given only the state, the no-cloning theorem states that the state cannot be copied. However, this quantum money is insecure because of a fully quantum attack [ ] that uses a copy of the state and the description of the projectors to produce additional copies of the state. A more sophisticated example of quantum money with a classical secret is described in [1]. A different scheme was proposed by Mosca and Stebila in [ ]. The latter scheme requires a classical oracle that we do not know how to construct.

All quantum money schemes which rely on a classical secret in this way have the property, shared with ordinary bank notes and coins, that an unscrupulous bank can produce multiple pieces of identical money. Also, if there is a classical secret, there is the risk that some classical algorithm can deduce the secret from the verification algorithm (we show in section 3 that the scheme of [ ] fails under some circumstances for exactly this reason).

2.2 Collision-free quantum money 

An alternative kind of quantum money is 
collision-free. This means that the bank cannot 
efficiently produce two pieces of quantum money 
with the same classical description of the verifica- 
tion circuit. This rules out protocols in which the 
verification circuit is associated with a classical se- 
cret which allows the bank to produce the state. 
(For example, in the product state construction in 
the previous section, the set of angles would allow 
the bank to produce any number of identical pieces 
of quantum money.) 

Collision-free quantum money has a useful 
property that even uncounterfeitable paper money 
(if it existed) would not have: instead of just digi- 
tally signing the verification circuit for each piece 
of money, the bank could publish a list describing 
the verification circuit of each piece of money it in- 
tends to produce. These verification circuits would 
be like serial numbers on paper money, but, since 
the bank cannot cheat by producing two pieces of 
money with the same serial number, it cannot pro- 
duce more money than it says. This means that the 
bank cannot inflate the currency by secretly print- 
ing extra money. 

We expect that computationally secure 
collision-free quantum money is possible. 
We do not have a concrete implementation of 
such a scheme, but in the next few sections, we 
give a blueprint for how a collision-free quantum 
money scheme could be constructed. We hope 
that somebody produces such a scheme which will 
not be vulnerable to attack. 

2.2.1 Quantum money by postselection 

Our approach to collision-free quantum money starts with a classical set. For concreteness, we will take this to be the set of $n$-bit strings. We need a classical function $L$ that assigns a label to each element of the set. There should be an exponentially large set of labels and an exponentially large number of elements with each label. Furthermore, no label should correspond to more than an exponentially small fraction of the set. The function $L$ should be as obscure and have as little structure as possible. The same function can be used to generate multiple pieces of quantum money. Each piece of quantum money is a state of the form

$$|\psi_\ell\rangle = \frac{1}{\sqrt{N_\ell}} \sum_{x \text{ s.t. } L(x)=\ell} |x\rangle$$

along with the label $\ell$ which is used as part of the verification procedure ($N_\ell$ is the number of terms in the sum). The function $L$ must have some additional structure in order to verify the state.

Such a state can be generated as follows. First, produce the equal superposition over all $n$-bit strings. Then compute the function $L$ into an ancilla register and measure that register to obtain a particular value $\ell$. The state left over after measurement will be $|\psi_\ell\rangle$.

The quantum money state $|\psi_\ell\rangle$ is the equal superposition of exponentially many terms which seemingly have no particular relationship to each other. Since no label occurs during the postselection procedure above with greater than exponentially small probability, the postselection procedure would have to be repeated exponentially many times to produce the same label $\ell$ twice. If the labeling function $L$ is a black box with no additional structure, then Grover's lower bound rules out any polynomial time algorithm that can produce the state $|\psi_\ell\rangle$ given only knowledge of $\ell$. We conjecture that it is similarly difficult to copy a state $|\psi_\ell\rangle$ or to produce the state $|\psi_\ell\rangle \otimes |\psi_\ell\rangle$ for any $\ell$ at all.

It remains to devise an algorithm to verify the 
money. 

2.2.2 Verification using rapidly mixing 
Markov chains 

The first step of any verification algorithm is to measure the function $L$ to ensure that the state is a superposition of basis vectors associated with the correct label $\ell$. The more difficult task is to verify that it is the correct superposition $|\psi_\ell\rangle$.

Our verification procedure requires some additional structure in the function $L$: we assume that we know of a classical Markov matrix $M$ which, starting from any distribution over bit strings with the same label $\ell$, rapidly mixes to the uniform distribution over those strings but does not mix between strings with different $\ell$. This Markov chain must have a special form: each update must consist of a uniform random choice over $N$ update rules, where each update rule is deterministic and invertible. We can consider the action of the operator $M$ on the Hilbert space in which our quantum money lives ($M$ is, in general, neither unitary nor Hermitian). Acting on states in this Hilbert space, any valid quantum money state $|\psi_\ell\rangle$ is a +1 eigenstate of $M$ and, in fact,

$$M^r \approx \sum_\ell |\psi_\ell\rangle\langle\psi_\ell| \qquad (1)$$

where the approximation is exponentially good for polynomially large $r$. This operator, when restricted to states with a given label $\ell$, approximately projects onto the money state $|\psi_\ell\rangle$. After measuring the label $\ell$ as above, the final step of our verification procedure is to measure $M^r$ for sufficiently large $r$ as we describe below. Even using the Markov chain $M$, we do not know of a general way to efficiently copy quantum money states.
Any deterministic, invertible function corresponds to a permutation of its domain; we can write the Markov matrix as the average of $N$ such permutations $P_i$ over the state space, where $P_i$ corresponds to the $i$th update rule. That is

$$M = \frac{1}{N} \sum_{i=1}^{N} P_i.$$

We define a controlled update $U$ of the state, which is a unitary quantum operator on two registers (the first holds an $n$-bit string and the second holds numbers from 1 to $N$)

$$U = \sum_i P_i \otimes |i\rangle\langle i|.$$

Given some initial quantum state on $n$ qubits, we can add an ancilla in a uniform superposition over all $i$ (from 1 to $N$). We then apply the unitary $U$, measure the projector of the ancilla onto the uniform superposition, and discard the ancilla. The Kraus operator sum element corresponding to the outcome 1 is




This operation can be implemented with one call to controlled-$P_i$ and additional overhead logarithmic in $N$. Repeating this operation $r$ times, the Kraus operator corresponding to all outcomes being 1 is $M^r$. The probability that all of the outcomes are 1 starting from a state $|\phi\rangle$ is $\|M^r|\phi\rangle\|^2$ and the resulting state is $M^r|\phi\rangle / \|M^r|\phi\rangle\|$. If we choose a large enough number of iterations $r$, we approximate a measurement of $\sum_\ell |\psi_\ell\rangle\langle\psi_\ell|$ as in eq. 1.

This construction has the caveat that, if the outcomes are not all 1, the final state is not $(1 - M^r)|\psi\rangle$. This can be corrected by deferring all measurements, computing an indicator of whether all outcomes were 1, and uncomputing everything else, but, as we do not care about the final state of bad quantum money, we do not need this correction.

2.3 An example of quantum money by post- 
selection 

2.3.1 Constructing a label function 

One approach to creating the labeling function $L$ from Sec. 2.2.1 is to concatenate the output of multiple single-bit classical cryptographic hash functions,² each of which acts on some subset of the qubits in the money state. We will describe such a scheme in this section, which has promising properties but is most likely insecure.

We start by randomly choosing $\lceil\sqrt{n}\rceil$ subsets of the $n$ bits, where each bit is in 10 of the subsets. We associate a different binary valued hash function with each subset. The hash function associated with a particular subset maps the bits in that subset to either 0 or 1. The labeling function $L$ is the $\lceil\sqrt{n}\rceil$-bit string which contains the outputs of all the hash functions.

The bank can produce a random pair $(\ell, |\psi_\ell\rangle)$, where $|\psi_\ell\rangle$ is the uniform superposition of all bit strings that hash to the values corresponding to the label $\ell$, by using the algorithm in Sec. 2.2.1.

2.3.2 Verifying the Quantum Money 

As in Sec. 2.2.2, we verify the money using a Markov chain. The update rule for the Markov chain is to choose a bit at random and flip the bit if and only if flipping that bit would not change the label (i.e. if all of the hash functions that include that bit do not change value, which happens with roughly constant probability). This Markov chain is not ergodic, because there are probably many assignments to all the bits which do not allow any of the bits to be flipped. These assignments, along with some other possible assignments that mix slowly, can be excluded from the superposition, and the verification circuit may still be very close to a projector onto the resulting money state.

² A simpler approach would be to hash the entire $n$-bit string onto a smaller, but still exponentially large, set of labels. We do not pursue this approach because we do not know of any way to verify the resulting quantum money states.
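
The label function of Sec. 2.3.1, the postselection of Sec. 2.2.1 and the Markov-chain check of Sec. 2.2.2, simulated classically on amplitude vectors for a 10-bit toy instance. This is an added example, not code from the paper; the subset layout, the use of SHA-256 as the single-bit hash, and all function names are assumptions made for illustration.

```python
import hashlib
import random
from math import sqrt

N_BITS = 10                                           # toy size; the paper's n is large
SUBSETS = [(0, 1, 2, 3), (3, 4, 5, 6), (6, 7, 8, 9)]  # constructed subsets, one hash bit each


def label(x):
    """L(x): concatenation of single-bit hashes, each reading one subset of the bits of x."""
    out = []
    for k, subset in enumerate(SUBSETS):
        bits = "".join(str((x >> b) & 1) for b in subset)
        out.append(hashlib.sha256(f"{k}:{bits}".encode()).digest()[0] & 1)
    return tuple(out)


LABELS = [label(x) for x in range(2 ** N_BITS)]


def update(i, x):
    """Update rule P_i: flip bit i iff the label is unchanged. An involution, so a permutation."""
    y = x ^ (1 << i)
    return y if LABELS[y] == LABELS[x] else x


def apply_M(state):
    """M = (1/N) * sum_i P_i acting on a sparse amplitude vector {bit string: amplitude}."""
    out = {}
    for x, amp in state.items():
        for i in range(N_BITS):
            y = update(i, x)
            out[y] = out.get(y, 0.0) + amp / N_BITS
    return out


def mint(rng):
    """Postselection: draw x uniformly, 'measure' l = L(x), keep the uniform superposition."""
    l = LABELS[rng.getrandbits(N_BITS)]
    support = [x for x in range(2 ** N_BITS) if LABELS[x] == l]
    return l, {x: 1 / sqrt(len(support)) for x in support}


def accept_probability(l, state, r=200):
    """Label check, then r rounds of M: returns ||M^r |phi>||^2.

    Simplification: a state with any support outside label l is rejected outright.
    """
    if any(LABELS[x] != l for x in state):
        return 0.0
    for _ in range(r):
        state = apply_M(state)
    return sum(a * a for a in state.values())


def component(x):
    """Strings reachable from x under the update rules (the chain need not be ergodic)."""
    seen, todo = {x}, [x]
    while todo:
        cur = todo.pop()
        for i in range(N_BITS):
            nxt = update(i, cur)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def demo(seed=7):
    l, money = mint(random.Random(seed))
    # A classical stand-in for a forgery: one basis string with the right label,
    # taken from the largest connected component of the label class.
    x = max(money, key=lambda s: len(component(s)))
    size = len(component(x))
    return accept_probability(l, dict(money)), accept_probability(l, {x: 1.0}), size, len(money)


if __name__ == "__main__":
    p_money, p_forged, size, class_size = demo()
    print(f"label class: {class_size} strings, largest component: {size}")
    print(f"accept(minted state) = {p_money:.6f}, accept(single basis string) = {p_forged:.6f}")
```

The minted state is fixed by every update rule, so it is accepted with probability 1; a single correctly labelled basis string passes the label check but its acceptance probability decays toward one over the size of its connected component.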

2.3.3 A weakness of this quantum money 

A possible weakness of our hash-based labeling function as defined above is that the label is not an opaque value: the labels of two different bit strings are related to the difference between those strings. Specifically, the problem of finding strings that map to a particular label $\ell$ is a constraint satisfaction problem, and the Hamming distance between the label $\ell' = L(x)$ and $\ell$ is the number of clauses that the string $x$ violates.

We are concerned about the security of this scheme because it may be possible to use the structure of the labeling function to implement algorithms such as the state generation algorithm in [ ], which, under certain circumstances, could be used to produce the money state. For example, consider a thermal distribution for which each bit string has probability proportional to $e^{-\beta c(x)}$, where $\beta$ is an arbitrary constant and $c(x)$ is the number of clauses that the string $x$ violates. If for all $\beta$ we could construct a rapidly mixing Markov chain with this stationary distribution, then we could apply the state generation algorithm mentioned above. A naive Metropolis-Hastings construction that flips single bits gives Markov chains that are not rapidly mixing at high $\beta$, but some variants may be rapidly mixing. We do not know whether quantum sampling algorithms based on such Markov chains can run in polynomial time.

Due to this type of attack, and because we do 
not have a security proof, we do not claim that this 
money is secure. 

3 Insecurity of a previously published 
quantum money scheme 

The only currently published public-key quantum money scheme, an example of quantum money with a classical secret, was proposed in [ ]. We refer to this scheme as stabilizer money. We show that stabilizer money is insecure by presenting two different attacks that work in different parameter regimes. For some parameters, a classical algorithm can recover the secret from the description of the verification circuit. For other parameters, a quantum algorithm can generate states which are different from the intended money state but which still pass verification with high probability. Neither attack requires access to the original money state.

The stabilizer money is parametrized by integers $n$, $m$ and $l$ and by a real number $\epsilon \in [0, 1]$. These
parameters are required to satisfy \ <C 

The quantum money state is a tensor product of $l$ different stabilizer states, each on $n$ qubits, and the classical secret is a list of Pauli group operators which stabilize the state. The bank generates an instance of the money by choosing a random stabilizer state for each of the $l$ registers. To produce the verification circuit, the bank generates an $m \times l$ table of $n$ qubit Pauli group operators. The $(i, j)$th element of the table is an operator

$$E_{ij} = (-1)^{b_{ij}} A_1^{ij} \otimes A_2^{ij} \otimes \cdots \otimes A_n^{ij}$$

where each $A_k^{ij} \in \{1, \sigma_x, \sigma_y, \sigma_z\}$ and $b_{ij} \in \{0,1\}$. Each element $E_{ij}$ of the table is generated by the following procedure:

1. With probability $1 - \epsilon$ choose the $b_{ij}$ and, for each $k$, $A_k^{ij}$ uniformly at random.

2. With probability $\epsilon$ choose the operator $E_{ij}$ to be a uniformly random element of the stabilizer group of $|C_i\rangle$.

To verify the quantum money state, for each $i$ the authenticator chooses $j(i) \in [m]$ at random and measures

$$Q = \frac{1}{l} \sum_i I^{\otimes i-1} \otimes E_{i,j(i)} \otimes I^{\otimes l-i}. \qquad (2)$$

The authenticator accepts iff the outcome is greater than or equal to $\epsilon/2$. Note that measuring the operator $Q$ is equivalent to measuring the operator $E_{i,j(i)}$ for each register $i \in [l]$ and then averaging the results, since the measurements on different registers commute.

The state $|C_1\rangle|C_2\rangle \ldots |C_l\rangle$ is accepted by this procedure with high probability since the probability of measuring a +1 for the operator $E_{i,j(i)}$ on the state $|C_i\rangle$ is . The mean value of the operator $Q$ in the state $|C_1\rangle|C_2\rangle \ldots |C_l\rangle$ is therefore $\epsilon$, since it is simply the average of the $E_{i,j(i)}$ for each register $i \in [l]$. The parameter $l$ is chosen so that
■4 = Q (n) so the probability that one measures Q 
to be less than $\epsilon/2$ is exponentially small in $n$.

Our attack on this money depends on the parameter $\epsilon$. Our proofs assume that $m = \mathrm{poly}(n)$, but we expect that both attacks work beyond the range in which our proofs apply.

3.1 Attacking the verification circuit for $\epsilon < \frac{1}{16\sqrt{m}}$

For $\epsilon < \frac{1}{16\sqrt{m}}$ and with high probability over the table of Pauli operators, we can efficiently generate a state that passes verification with high probability. This is because the verification algorithm does not project onto the intended money state but in fact accepts many states with varying probabilities. On each register, we want to produce a state for which the expected value of the measurement of a random operator from the appropriate column of $E$ is sufficiently positive. This is to ensure that, with high probability, the verifier's measurement of $Q$ will have an outcome greater than $\epsilon/2$. For small $\epsilon$, there are many such states on each register and we can find enough of them by brute force.

We find states that pass verification by working on one register at a time. For each register $i$, we search for a state $\rho_i$ with the property that



Tr 



J' =1 / . 



> 



1 



O 



1 



(3) 

As we show in Appendix A, we can find such states 
efficiently on enough of the registers to construct a 
state that passes verification. 

3.2 Recovering the classical secret for $\epsilon > \frac{c}{\sqrt{m}}$

We describe how to recover the classical secret (i.e. a description of the quantum state), and thus forge the money, when the parameter $\epsilon > \frac{c}{\sqrt{m}}$ for any constant $c > 0$. We observe that each column of the table $E$ contains approximately $\epsilon m$ commuting operators, with the rest chosen randomly, and if, in each column, we can find a set of commuting operators that is at least as large as the planted set, then any quantum state stabilized by these operators will pass verification.

We begin by casting our question as a graph 
problem. For each column, let G be a graph whose 
vertices correspond to the m measurements, and 
connect vertices i and j if and only if the corre- 
sponding measurements commute. The vertices 
corresponding to the planted commuting measure- 
ments now form a clique, and we aim to find it. 

In general, it is intractable to find the largest clique in a graph. In fact, it is NP-hard even to approximate the size of the largest clique within $n^{1-\epsilon}$, for any $\epsilon > 0$ [11]. Finding large cliques planted in otherwise random graphs, however, can be easy.

For example, if e = 17 ( l ^= L ^ , then a simple 
classical algorithm will find the clique. This algo- 
rithm proceeds by sorting the vertices in decreas- 
ing order of degree and selecting vertices from the 
beginning of the list as long as the selected vertices 
continue to form a clique. 

We can find the planted clique for $\epsilon > \frac{c}{\sqrt{m}}$ for any constant $c > 0$ in polynomial time using a more sophisticated classical algorithm that may be of independent interest. If the graph were obtained
by planting a clique of size e^/m in a random graph 
drawn from G(m, 1/2), Alon, Krivelevich, and 
Sudakov showed in [ ] that one can find the clique 
in polynomial time with high probability.³ Unfortunately, the measurement graph $G$ is not drawn
from G(m, 1/2), so we cannot directly apply their 
result. However, we show in appendix A that if G 
is sufficiently random then a modified version of 
their algorithm works. 
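
The commutation-graph formulation and the degree-sorting algorithm described above, run on one constructed column of the table. This is an added example, not the authors' code; the toy parameters (n = 40, m = 400, ε = 0.5), the way the stabilizer group is generated (Z-type operators scrambled by random symplectic transvections), and all function names are assumptions, and sign bits are omitted because they do not affect commutation.

```python
import random

N_QUBITS, M_ROWS, EPSILON = 40, 400, 0.5   # constructed toy parameters (n, m, epsilon)


def commute(p, q):
    """Paulis are (x_bits, z_bits) integer pairs; they commute iff the symplectic product is 0."""
    return bin((p[0] & q[1]) ^ (p[1] & q[0])).count("1") % 2 == 0


def random_pauli(rng, n):
    return (rng.getrandbits(n), rng.getrandbits(n))


def transvect(p, v):
    """Symplectic transvection p -> p + <p,v> v; it preserves every commutation relation."""
    return p if commute(p, v) else (p[0] ^ v[0], p[1] ^ v[1])


def make_column(rng, n=N_QUBITS, m=M_ROWS, eps=EPSILON):
    """One column of the table: each entry is planted with probability eps, else random."""
    # Assumption for brevity: start from the stabilizer group of |0...0> (Z-type Paulis)
    # and apply one fixed sequence of random transvections, i.e. a Clifford change of basis.
    scramble = [random_pauli(rng, n) for _ in range(4 * n)]
    column, planted = [], set()
    for row in range(m):
        if rng.random() < eps:
            op = (0, rng.getrandbits(n))        # random element of the Z-type group
            for v in scramble:
                op = transvect(op, v)
            planted.add(row)
        else:
            op = random_pauli(rng, n)
        column.append(op)
    return column, planted


def recover_planted(column):
    """Sort vertices by decreasing degree, then select from the front while they form a clique."""
    m = len(column)
    adj = [[i != j and commute(column[i], column[j]) for j in range(m)] for i in range(m)]
    order = sorted(range(m), key=lambda i: -sum(adj[i]))
    clique = []
    for v in order:
        if not all(adj[v][u] for u in clique):
            break
        clique.append(v)
    return set(clique)


def demo(seed=2009):
    column, planted = make_column(random.Random(seed))
    return column, planted, recover_planted(column)


if __name__ == "__main__":
    column, planted, found = demo()
    print(f"planted rows: {len(planted)}, recovered rows: {len(found)}, "
          f"exact match: {found == planted}")
```

Planted rows commute with every other planted row, so their degree in the commutation graph sits well above that of random rows; for a verifier design this means the table itself reveals which entries carry the secret whenever ε is this large.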

4 Conclusions 

Quantum money is an exciting and open 
area of research. Wiesner's original scheme is 
information-theoretically secure, but is not public- 
key. In this paper, we proved that the stabilizer 
construction for public -key quantum money [ ] is 
insecure for most choices of parameters, and we 
expect that it is insecure for all choices of pa- 
rameters. We drew a distinction between schemes 



3 Remember that G (m, p) is the Erds-Rnyi distribution over 
m-vertex graphs in which an edge connects each pair of ver- 
tices independently with probability p. The AKS algorithm was 
later improved [6] to work on subgraphs of G(n,p) for any 
constant p, but our measurement graph G is not of that form. 
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which use a classical secret and those which are 
collision-free. We gave a blueprint for how a 
collision-free scheme might be devised. We de- 
scribed an illustrative example of such a scheme, 
but we have serious doubts as to its security. 

It remains a major challenge to base the security of a public-key quantum money scheme on any previously-studied (or at least standard-looking) cryptographic assumption, for example, that some public-key cryptosystem is secure against quantum attack. Much as we wish it were otherwise, it seems possible that public-key quantum money intrinsically requires a new mathematical leap of faith, just as public-key cryptography required a new leap of faith when it was first introduced in the 1970s.
A Details of the attack against stabilizer money for $\epsilon < \frac{1}{16\sqrt{m}}$

For $\epsilon < \frac{1}{16\sqrt{m}}$ and with high probability in the table of Pauli operators, we can efficiently generate a state that passes verification with high probability. Our attack may fail for some choices of the table used in verification, but the probability that such a table of operators is selected by the bank is exponentially small.

Recall that each instance of stabilizer money is verified using a classical certificate, which consists of an $m \times l$ table of $n$ qubit Pauli group operators. The $(i,j)$th element of the table is an operator

$$E_{ij} = (-1)^{b_{ij}} A_1^{ij} \otimes A_2^{ij} \otimes \cdots \otimes A_n^{ij}$$

where each $A_k^{ij} \in \{1, \sigma_x, \sigma_y, \sigma_z\}$ and $b_{ij} \in \{0,1\}$.

We will use one important property of the algorithm that generates the table of Pauli operators: with the exception of the fact that $-I^{\otimes n}$ cannot occur in the table, the distribution of the tables is symmetric under negation of all of the operators.

The verification algorithm works by choosing, for each $i$, a random $j(i) \in [m]$. The verifier then measures



E 



(4) 



The algorithm accepts iff the outcome is greater than or equal to $\epsilon/2$. Note that measuring the operator $Q$ is equivalent to measuring the operator $E_{i,j(i)}$ for each register $i \in [l]$ and then averaging the results, since the measurements on different registers commute.

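To better understand the statistics of the operator $Q$, we consider measuring an operator $E_{i,j(i)}$ on a state $\rho_i$, where $j(i) \in [m]$ is chosen uniformly at random. The total probability $P_i(\rho_i)$ of obtaining the outcome +1 is given by

$$P_i(\rho_i) = \frac{1}{m} \sum_{j=1}^{m} \mathrm{Tr}\left[\frac{1 + E_{ij}}{2}\,\rho_i\right] = \frac{1}{2} + \frac{1}{2}\,\mathrm{Tr}\left[H^{(i)} \rho_i\right]$$

where (for each $i \in [l]$) we have defined the Hamiltonian

$$H^{(i)} = \frac{1}{m} \sum_{j=1}^{m} E_{ij}.$$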



We use the algorithm described below to independently generate an $n$ qubit mixed state $\rho_i$ on each register $i \in [l]$. At least 1/4 of these states $\rho_i$ (w.h.p. over the choice of the table $E$) will have the property that



Tr[£fW pi ] > 



and the rest have 



1 



O 



1 



Pi(p i )>\~o(- 
2 V TO 



(5) 



(6) 



which implies that 

Epi(Pi) > l + ^rr= 

i 2 Oy'TTl 

We use the state 



O 



$$\rho = \rho_1 \otimes \rho_2 \otimes \cdots \otimes \rho_l$$



as our forged quantum money. If the verifier se- 
lects j (i) at random and measures Q (from equa- 
tion 4), then the expected outcome is at least 

+ °& + and the P robabil " 



ity of an outcome less than 



(for e < 



the verifier can only reject if this occurs) is expo- 
nentially small for to sufficiently large by inde- 
pendence of the registers. Therefore the forged 
money state p is accepted by Aaronson's verifier 
with probability that is exponentially close to 1 if 

Before describing our algorithm to generate the 
states {pi}, we must understand the statistics (in 
particular, we consider the first two moments) of 
each ifW on the fully mixed state J^. We will 
assume that, for j ^ k, ^ E^. We also as- 
sume that the operators ±/®7®/...(g)7do not 
appear in the list. Both of these assumptions are 
satisfied with overwhelming probability. The first 
and second moments of ffW are 



and 



Tr 



H (i) 



Tr 



2 I 

2" 



= 



(7) 



2"" Tr 
1 

TO 



9 ^ E iJ E i,k 



(8) 



Now let us define /j to be the fraction (out of 2") 
of the eigenstates of #w which have eigenvalues 
in the set L 11 U f— 1, — „ 7— 1. Since the eigen- 

values of i?w are bounded between —1 and 1, we 
have 



Tr 



< /i + (1 - /i) 



1 

4to 



Plugging in equation 8 and rearranging we obtain 

/,> 3 



4to — 1 



We also define gi to be the fraction of eigenstates 
of ffW that have eigenvalues in the set 1 „ 11. 
The distribution (for any fixed $i$) of $E_{ij}$ as generated by the bank is symmetric under negation of all the $E_{ij}$, so with probability at least 1/2 over the choice of the operators in the row labeled by $i$, the fraction satisfies



We assume this last inequality is satisfied for at least 1/4 of the indices $i \in [l]$, for the particular table that we are given. The probability that this is not the case is exponentially small in $l$.

Ideally, we would generate the states $\rho_i$ by preparing the fully mixed state, measuring $H^{(i)}$, keeping the result if the eigenvalue is at least , and otherwise trying again, up to some appropriate maximum number of tries. After enough failures, we would simply return the fully mixed state. It is easy to see that outputs of this algorithm would satisfy eq. 3 with high probability.

Unfortunately, we cannot efficiently measure the exact eigenvalue of an arbitrary Hermitian operator, but we can use phase estimation, which gives polynomial error using polynomial resources. In appendix A.2 we review the phase estimation algorithm which is central to our procedure for generating the states $\rho_i$. In section A.1, we describe an efficient algorithm to generate $\rho_i$ using phase estimation and show that the resulting states, even in the presence of errors due to polynomial-time phase estimation, are accepted by the verifier with high probability, assuming that the table has the appropriate properties.

A.1 Procedure to Generate $\rho_i$

We now fix a particular value of i and, for con- 
venience, define H = so that all the eigen- 
values of H lie in the interval \—\, j]. We denote 
the eigenvectors of H by {IV'j')} ar, d write 

The positive eigenvalues of H map to phases <f>j in 
the range [0, 4] and negative eigenvalues of H map 
to [1,1] . 

We label each eigenstate of H as either "good" 
or "bad" according to its energy. We say an eigen- 
state \ipj) is good if £ [je^tn ' O tnerw rs e we 
say it is bad (which corresponds to the case where 

^e[o >Is ^)u[f,i]). 

We use the following algorithm to produce a 
mixed state pi . 



1. Set $k = 1$.

2. Prepare the completely mixed state. In our analysis of this step, we will imagine that we have selected an eigenstate $|\psi_p\rangle$ of $H$ uniformly at random, which yields identical statistics.

3. Use the phase estimation circuit to measure 
the phase of the operator e 2nlH . Here the 
phase estimation circuit (see appendix A. 2) 
acts on the original n qubits in addition to 
q = r + [log (2 + §)] ancilla qubits, where 
we choose 

r = [log(20m)l 

4. Accept the resulting state (of the n qubit reg- 
ister) if the measured phase <fi' = ^ is in the 
interval L \— — t^t- , si. In this case stop and 

L 8v"i 20m 5 2 J * 

output the state of the first register. Otherwise 
set k = k + 1. 

5. If $k = m^2 + 1$ then stop and output the fully mixed state. Otherwise go to step 2.

We have chosen the constants in steps 3 and 4 to obtain an upper bound on the probability $p_b$ of accepting a bad state in a particular iteration of steps 2, 3, and 4:

$$p_b = \Pr(|\psi_p\rangle \text{ is bad and you accept}) < \Pr(\text{accept given that } |\psi_p\rangle \text{ was bad}) < \delta \quad \text{by equation 14.}$$

Above, we considered two cases depending on 
whether or not the inequality 9 is satisfied for the 
register i. We analyze the algorithm in these two 
cases separately. 

Case 1: Register i satisfies inequality 9 

In this case, choosing p uniformly, 

Pr ( J > > 7TT=) ^ (10) 
This case occurs for at least 1/4 of the indices $i \in [l]$ with all but exponentially small probability.

The probability $p_g$ that you pick a good state (in a particular iteration of steps 2, 3, and 4) and then accept it is at least

$p_g = \Pr(|\psi_p\rangle \text{ is good and you accept})$



Case 2: Register i does not satisfy inequality 9

This case occurs for at most 3/4 of the indices $i \in [l]$ with all but exponentially small probability.

The probability of accepting a bad state for reg- 
ister i at any point is 



> Pr 



Pr 



> 6 n > 



> 6r, > 



x Pr ( accept given - > <p„ > — -= 

4 8i/m 



and you accept Pr ( accept a bad state ever ) < V" s = 1 (13) 

/ ^— ' m 

fc=i 

So the state $\rho_i$ which is generated by the above procedure will satisfy



Pr | - > 



> 



> 



1 



(1-5) 



3m - 2 
1 



> , for m sufficiently large. 

4m 



Thus the total probability of outputting a good 
state is (in a complete run of the algorithm) 



Pr(output a good state) 

2 

n i 

k=l 

Pa 



(11) 



> 



> 



> 



> 



Pg + 


Pb 


Pa 




Pa + 


Pb 


Pa 




Pa + 




Pa 




Pa + 




1 





(i-(i- Pg - Pb y 

i _ e -p 9 ™ 2 



i + 

m 

1-0 



(12) 



I _ e Ps m j f or m sufficiently large. 



1 



So in this case, the state $\rho_i$ will satisfy



Tr 



> Pr (output a good state) 



1 



4^/m 

(1 — Pr (output a good state)) 

1 o fl 



4\/m 



Tr 



H (i) 



Pi 



> — Pr (accept a bad state ever) 
1 

m 

We have thus shown that equation 5 holds for all indices i which satisfy inequality 9 and that equation 6 holds for the rest of the indices. As discussed above, this guarantees (assuming at least 1/4 of the indices i satisfy inequality 9) that our forged state $\rho = \rho_1 \otimes \rho_2 \otimes \cdots \otimes \rho_l$ is accepted by the verifier with high probability if e < 16 \^ ■

A.2 Review of the Phase Estimation Algorithm

In this section we review some properties of the phase estimation algorithm as described in [ ]. We use this algorithm in appendix A to measure the eigenvalues of the operator $e^{2\pi i H}$. The phase estimation circuit takes as input an integer r and a parameter $\delta$ and uses



q = r + \log{2 + -)] 

ancilla qubits. When used to measure the operator $e^{2\pi i H}$, phase estimation requires as a subroutine a circuit which implements the unitary operator $e^{2\pi i H t}$ for $t < 2^r$, which can be approximated efficiently if $2^r = \mathrm{poly}(n)$. This approximation of the Hamiltonian time evolution incurs an error which can be made polynomially small in n using polynomial resources (see for example [9]). We therefore neglect this error in the remainder of the discussion. The phase estimation circuit, when applied to an eigenstate $|\psi_j\rangle$ of H such that



2-KiH 
and with the q ancillas initialized in the state $|0\rangle^{\otimes q}$, outputs a state

where \dj) is a state of the ancillas. If this ancilla 
register is then measured in the computational basis, the resulting q bit string z will be an approximation to $\phi_j$ which is accurate to r bits with probability at least $1 - \delta$ in the sense that



Pr 



z 



> 



1 

¥ 



< 6. 



(14) 



In order for this algorithm to be efficient, we choose r and $\delta$ so that $2^r = \mathrm{poly}(n)$ and $\delta = \frac{1}{\mathrm{poly}(n)}$.

B Insecurity of the Stabilizer Money 

for e > -£= 

In this section, we will describe how to forge the Stabilizer Money when the number of commuting measurements is at least $c\sqrt{m}$ for any constant $c > 0$. We will consider each column of the table separately. For the $i$th column, let $M = M_i$ be the list of possible measurements for $\psi = \psi_i$, and let $K = K_i$ denote the set of commuting measurements that stabilize $\psi$. Set $k = |K|$ and $m = |M|$. We will first consider the case $k > 100\sqrt{m}$, and we will then show how to reduce the case $k > c\sqrt{m}$ to this case for any constant $c > 0$. The algorithm we present has success probability 4/5 over the choice of the random measurements. We have not attempted to optimize this probability, and it could be improved with a more careful analysis.

We begin by casting our question as a graph problem. Let G be a graph whose vertices correspond to the m measurements, and connect vertices i and j if and only if the corresponding measurements commute. The set K now forms a clique, and we aim to find it.

In general, it is intractable to find the largest clique in a graph. In fact, it is NP-hard even to approximate the size of the largest clique within $n^{1-\epsilon}$, for any $\epsilon > 0$ [11]. However, if the graph is obtained by planting a clique of size $\epsilon\sqrt{m}$ in an (Erdős-Rényi) random graph drawn from G(m, 1/2), Alon, Krivelevich, and Sudakov showed that one can find the clique in polynomial time with high probability [3]. Unfortunately, the measurement graph G is not drawn from G(m, 1/2), so we cannot directly apply their result. However, we shall show that G is sufficiently random that a modified version of their approach can be made to go through. The main tool that we use is to show that G is $k$-wise independent and that this is enough for a variant of the clique finding algorithm to work. $k$-wise independent random graphs were studied by [4], although they were interested in other properties of them.

B.1 Properties of the Measurement Graph

To analyze G, it will be convenient to use a linear algebraic description of its vertices and edges. Recall that any stabilizer measurement on n qubits can be described as a vector in $\mathbb{F}_2^{2n}$ as follows:

• for $j \le n$, set the $j$th coordinate to 1 if and only if the operator restricted to the $j$th qubit is X or Y, and

• for $n < j \le 2n$, set the $j$th coordinate to 1 if and only if the operator restricted to the $(j - n)$th qubit is Y or Z.

For $v, w \in \mathbb{F}_2^{2n}$, let

$$\langle v, w \rangle = v^T \begin{pmatrix} 0_n & I_n \\ I_n & 0_n \end{pmatrix} w,$$

where $I_n$ and $0_n$ are the $n \times n$ identity and all-zeros matrices, respectively. It is easy to check that the stabilizer measurements corresponding to v and w commute if and only if $\langle v, w \rangle = 0$ (over $\mathbb{F}_2$).
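The encoding and commutation test described above, as an added example (not code from the paper): it maps Pauli strings to vectors in $\mathbb{F}_2^{2n}$, checks the symplectic form against the direct qubit-by-qubit commutation rule, and builds the measurement graph G for a small constructed list of measurements. The function names, the 0-based indexing and the sample list are assumptions of this example.

```python
from itertools import combinations, product

def pauli_to_vec(pauli):
    """Encode a Pauli string such as 'XIZY' as a vector in F_2^{2n}.

    Coordinate j (0-based, j < n) is 1 iff qubit j carries X or Y;
    coordinate n + j is 1 iff qubit j carries Y or Z.
    """
    n = len(pauli)
    vec = [0] * (2 * n)
    for j, op in enumerate(pauli):
        if op not in "IXYZ":
            raise ValueError(f"not a Pauli label: {op!r}")
        vec[j] = int(op in "XY")
        vec[n + j] = int(op in "YZ")
    return vec

def symplectic(v, w):
    """<v, w> = v^T [[0, I], [I, 0]] w over F_2."""
    if len(v) != len(w) or len(v) % 2:
        raise ValueError("vectors must share an even length 2n")
    n = len(v) // 2
    return sum(v[j] * w[n + j] + v[n + j] * w[j] for j in range(n)) % 2

def commute_direct(p, q):
    """Reference rule: Pauli strings commute iff they differ on an even
    number of qubits where both act non-trivially."""
    clashes = sum(a != "I" and b != "I" and a != b for a, b in zip(p, q))
    return clashes % 2 == 0

def form_matches_direct_rule(n):
    """Exhaustively compare both commutation tests on all n-qubit pairs."""
    strings = ["".join(s) for s in product("IXYZ", repeat=n)]
    return all(
        (symplectic(pauli_to_vec(p), pauli_to_vec(q)) == 0) == commute_direct(p, q)
        for p in strings for q in strings
    )

def measurement_graph(paulis):
    """Adjacency matrix of G: an edge joins u and v iff <s_u, s_v> = 0."""
    vecs = [pauli_to_vec(p) for p in paulis]
    adj = [[0] * len(vecs) for _ in vecs]
    for u, v in combinations(range(len(vecs)), 2):
        if symplectic(vecs[u], vecs[v]) == 0:
            adj[u][v] = adj[v][u] = 1
    return adj

def is_clique(adj, vertices):
    """True iff every pair of the given vertices is joined by an edge."""
    return all(adj[u][v] for u, v in combinations(vertices, 2))

# Constructed sample: four commuting 3-qubit measurements (the set K)
# mixed with three others that each anticommute with some member of K.
MEASUREMENTS = ["XXX", "ZZI", "XII", "IZZ", "IIZ", "YYX", "ZIY"]
K = [0, 1, 3, 5]

if __name__ == "__main__":
    adj = measurement_graph(MEASUREMENTS)
    print("form agrees with direct rule:", form_matches_direct_rule(2))
    print("K is a clique:", is_clique(adj, K))
```

The adjacency matrix is computed from the 2mn encoding bits alone, which is the dependence among edges that the lemma below quantifies.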

Using this equivalence between Pauli group operators and vectors, each vertex u of the graph G is associated with a vector $s_u$. There is an edge between vertices u and v in G if and only if $\langle s_u, s_v \rangle = 0$. This means that the 2mn bits that encode the vectors $\{s_u\}$ also encode the entire adjacency matrix of G. There are $m(m-1)/2$ possible edges in G, so the distribution of edges in G is dependent (generically, $m(m-1)/2 > 2mn$). Fortunately, this dependence is limited, as we can see from the following lemma.

Lemma 1. Let $v_1, \ldots, v_t, u$ be measurements such that $s_{v_1}, \ldots, s_{v_t}, s_u$ are linearly independent, and let $x_1, \ldots, x_t \in \{0, 1\}$ be arbitrary. Let v be a random stabilizer measurement such that $\langle s_v, s_{v_i} \rangle = x_i$ for every i and the vectors $s_{v_1}, \ldots, s_{v_t}, s_u, s_v$ are linearly independent. Then

$$\Pr(\langle s_v, s_u \rangle = 0) = 1/2 \pm O\left(\frac{1}{2^{2(n-t)}}\right).$$
Proof. The vector $s_v \in \{0,1\}^{2n}$ is chosen uniformly at random from the set of vectors satisfying the following constraints:

1. For every i, we have $\langle s_v, s_{v_i} \rangle = x_i$.

2. The vectors $s_{v_1}, \ldots, s_{v_t}, s_u, s_v$ are linearly independent.

Let $S_0$ denote the set of vectors that satisfy these constraints and have $\langle s_v, s_u \rangle = 0$, and let $S_1$ be the set of vectors that satisfy these constraints and have $\langle s_v, s_u \rangle = 1$. We have

$$\Pr(\langle s_v, s_u \rangle = 0) = \frac{|S_0|}{|S_0| + |S_1|}.$$

The vectors $s_{v_1}, \ldots, s_{v_t}, s_u$ are linearly independent, so there are $2^{2n-t-1}$ solutions to the set of equations $\langle s_v, s_u \rangle = 1$ and $\langle s_v, s_{v_i} \rangle = x_i$ for all i. This implies that $|S_1| \le 2^{2n-t-1}$.

Constraint 2 rules out precisely the set of vectors in the span of $s_{v_1}, \ldots, s_{v_t}, s_u$. This is a $(t+1)$-dimensional subspace, so it contains $2^{t+1}$ points, and thus $|S_0| \ge 2^{2n-t-1} - 2^{t+1}$. It follows that



Pr((s v ,s u ) = 0) > 



_ 2 t+i 



22n-t _ 2*+l 

1 1 

2 ~ 2 2n-2t _ i 



1 



o 



1 



2 2(n-i) 



Repeating this argument gives the same bound for $\Pr(\langle s_v, s_u \rangle = 1)$, from which the desired result follows. □

B.2 Finding Planted Cliques in Random Graphs

Our algorithm for finding the clique K will be identical to that of Alon, Krivelevich, and Sudakov [ ], but we will need to modify the proof of correctness to show that it still works in our setting. In this section, we shall give a high level description of [ ] and explain the modifications necessary to apply it to G. The fundamental difference is that Alon et al. rely on results from random matrix theory that use the complete independence of the matrix entries to bound mixed moments of arbitrarily high degree, but we only have guarantees about moments of degree $O(\log m)$. As such, we must adapt the proof to use only these lower order moments.

Let G(m, 1/2, k) be a random graph from G(m, 1/2) augmented with a planted clique of size k, and let A be its adjacency matrix. Let $\lambda_1 \ge \lambda_2 \ge \cdots \ge \lambda_m$ be the eigenvalues of A, and let $v_1, \ldots, v_m$ be the corresponding eigenvectors. To find the clique, Alon et al. find the set W of vertices with the k largest coordinates in $v_2$. They then prove that, with high probability, the set of vertices that have at least $3k/4$ neighbors in W precisely comprise the planted clique.

The analysis of their algorithm proceeds by analyzing the largest eigenvalues of A. They begin by proving that the following two bounds hold with high probability:

• $\lambda_1 \ge (\frac{1}{2} + o(1)) m$, and

• $\lambda_i \le (1 + o(1)) \sqrt{m}$ for all $i \ge 3$.

The second of these bounds relies heavily on a result by Füredi and Komlós about the eigenvalues of matrices with independent entries. The independence assumption will not apply in our setting, and thus we will need to reprove this bound for our graph G. This is the main modification that we will require to the analysis of [3].

They then introduce a vector z that has $z_i = (m - k)$ when vertex i belongs to the planted clique, and has $z_i = -k$ otherwise. Using the above bounds, they prove that, when one expands z in the eigenbasis of A, the coefficients of $v_1, v_3, \ldots, v_m$ are all small compared to $\|z\|$, so z has most of its norm coming from its projection onto $v_2$. This means that $v_2$ has most of its weight on the planted clique, which enables them to prove the correctness of their algorithm.

Other than the bound on $\lambda_3, \ldots, \lambda_m$, the proof goes through with only minor changes. The bound $\lambda_1 = (1 + o(1)) m/2$ follows from a simple analysis of the average degree, which holds for the measurement graph as well. The rest of their proof does not make heavy use of the structure of the graph. The only change necessary is to replace various tail bounds on the binomial distribution and Chebyshev bounds with Markov bounds. These weaker bounds result in a constant failure probability and weaker constants, but they otherwise do not affect the proof. (For brevity, we omit the details.) As such, our remaining task is to bound $\lambda_i$ for $i \ge 3$.
B.3 Bounding A



3) 



bound: 



To bound the higher eigenvalues of the adjacency matrix, Alon et al. apply the following theorem of Füredi and Komlós [ ]:

Lemma 2. Let R be a random symmetric $m \times m$ matrix in which $R_{i,i} = 0$ for all i, and the other entries are independently set to ±1 with $\Pr(R_{i,j} = 1) = \Pr(R_{i,j} = -1) = \frac{1}{2}$. The largest eigenvalue of R is at most m+0(m 1 / 3 log m) with high probability.

We will prove a slightly weaker variant of this lemma for random measurement graphs. Let B be a matrix that is generated by picking m random stabilizer measurements $M_1, \ldots, M_m$ and setting $B_{i,j} = 1$ if $M_i$ commutes with $M_j$, $B_{i,j} = -1$ if $M_i$ anticommutes with $M_j$, and $B_{i,i} = 0$. The main technical result of this section will be the following:

Theorem 3. With high probability, the largest eigenvalue of B is at most $10\sqrt{m}$.



E 



E 



E E 



e n^A +1 

t+1 



(15) 



where we set $\ell_1 = i$ and $\ell_{t+1} = j$, and
we sum over all possible values of the indices 



We break the nonzero terms in this summation into two types of monomials: those in which every matrix element appears an even number of times, and those in which at least one element appears an odd number of times. In the former case, the monomial is the square of a ±1-valued random variable, so we have



Alon et al. [ ] show how to transform a bound on the eigenvalues of R into a bound on the third largest eigenvalue of A. This reduction does not depend on the properties of G, and it works in our case when applied to B. This gives a bound of $10\sqrt{m}$ on the third largest eigenvalue of the adjacency matrix of G.

The proof of Theorem 3 will rely on the follow- 
ing lemma, which shows that the entries of small 
powers of the matrix B have expectations quite 
close to those of R. 



E 



= E 



=i, 



and it suffices to focus on the latter case. By the 
same reasoning, we can drop any even number of 
occurrences of an element, so it suffices to estimate 
the expectations of monomials of degree at most t 
in which all of the variables are distinct. 



Lemma 4. For $t < O(\log m)$,

$E[(B^t)_{i,j}] = E[(R^t)_{i,j}] \pm$

Proof. [Proof of Lemma 4] With high probability, for every subset of vertices U such that $|U| < t < O(\log m)$, we have that the set $\{s_u \mid u \in U\}$ is linearly independent over $\mathbb{F}_2$. We condition the rest of our analysis on this high probability event.

We begin by expanding the quantity we aim to 



Any such monomial in the $R_{i,j}$ has expectation zero by symmetry, so we need to provide an upper bound on terms of the form $\prod_{a=1}^{q} B_{\ell_a, \ell_{a+1}}$, where q < t < r and each matrix element appears at most once.

Consider the probability that $B_{q-1,q} = 1$, where we take the probability over the choice of the 2n bit string $s_q$, given that for any $a < q$, we have $B_{a,a+1} = x_a$ for some value $x_a$. We are computing this expectation conditioned on the $s_u$ being linearly independent, so we can apply Lemma 1. This gives

q 

a=l 

= X] Pr (( S ^' S ^ + i) = X <*) 



Xx,—Xq-1 

X 



l Pr((Sg_l,Sg) = l\Xl, . .-Xg-l) 

Pr((s 9 _i,s g ) = — l|aci, . . 



=0 



1 



2 2(n-t) 



X] Pr (( S ^' S ^ + l) = X a) 



xi,...x„_i 



1 



22(n-t) 



There are $n^{O(\log m)}$ terms in the summation of eq. , and we have shown that each term is at most $O(1/2^{2(n-t)})$, so we obtain

/ 0(logm)\ i 

as desired. □ 

We can now use this lemma to prove Theorem 3. 

Proof. [Proof of Theorem 3] Consider a random matrix R, with $R_{i,i} = 0$ and each other cell distributed independently at random according to $\Pr(R_{i,j} = 1) = \Pr(R_{i,j} = -1) = \frac{1}{2}$. Lemma 3.2 of [ ] shows that, for $t < m^{1/3}$,

$$\mathrm{Tr}(E(R^t)) = m^{t/2+1} 4^t.$$

For t > 10 log m, Lemma 4 implies that 



Tr(E(B*)) = Tr(E(i?*)) ± 
= m*/ 2+1 4* ± 



1 



20(n-i) 



1 



2 f2(n-t) ■ 

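Let $\lambda_1 \ge \cdots \ge \lambda_m$ be the eigenvalues of B. For any even t, one has that

$$\mathrm{Tr}\, B^t = \sum_i \lambda_i^t \ge \lambda_1^t.$$

Applying this relation with $t = 10 \log m$ gives:

$$\Pr(\lambda_1 > 10\sqrt{m}) = \Pr(\lambda_1^t > (10\sqrt{m})^t) \le (10\sqrt{m})^{-t} E[\lambda_1^t] \le (10\sqrt{m})^{-t} m^{t/2+1} 4^t$$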

□ 



Plugging the bound from Theorem 3 into the argument from section B.2 and computing the correct constants yields that the algorithm finds a planted clique in G of size at least $100\sqrt{m}$ with probability 4/5.



B.4 Finding Cliques of Size $c\sqrt{m}$

To break stabilizer money for all e > we extend our algorithm to find cliques of size $c\sqrt{m}$ for any $c > 0$. In [3], Alon et al. show how to bootstrap the above scheme to work for any c.

The procedure used by Alon et al. is to iterate over all sets of vertices of size log(100/c), and, for each such set S, to try to find a clique in the graph $G_S$ of the vertices that are connected to all of the vertices in S.

When S is in the planted clique, $G_S$ also contains the clique. However, $|G_S| \sim c|G|/100$, as most of the vertices that are outside the clique are removed. As $G_S$ behaves like a random graph with the same distribution as the original graph but with a planted clique of size $100\sqrt{|G_S|}$, one can find it using the second largest eigenvector.

To use the same algorithm in our case, we apply Lemma 4 with parameter k + log 100/c. This shows that, up to a small additive error, the expected value of the $k$th power of the adjacency matrix of $G_S$ behaves like the expected value of the $k$th power of the adjacency matrix of a random graph, which was all that we used in the proof.